Decrypting a password-protected 7z file with Delta filter fails

I have made a 7z archive using Delta filter containing a wav file and I have protected it with a password. I am running a terminal in Kali Linux. My problem is that I cannot get the password cracked using 7z2john.pl and john the ripper. If I omit the Delta compression, using only the default compression of 7z, then the cracking succeeds. My question: is it possible to use 7z2john.pl and john the ripper to crack a password-protected 7z file with Delta compression? If it is possible, how can it be done?

Here are the steps to reproduce the problem:

  1. I use the following command to create the archive:

7z a test.7z *.wav -mf=Delta:4 -peasy

I get this output:

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=fi_FI.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-4460  CPU @ 3.20GHz (306C3),ASM,AES-NI)  Open archive: test.7z -- Path = test.7z Type = 7z Physical Size = 1090 Headers Size = 162 Method = Delta LZMA2:15 7zAES Solid = - Blocks = 1  Scanning the drive: 1 file, 32080 bytes (32 KiB)  Updating archive: test.7z  Items to compress: 1       Files read from disk: 1 Archive size: 1090 bytes (2 KiB) Everything is Ok  
  1. I use 7z2john.pl to generate material for John the Ripper to crack the archive:

/usr/share/john/7z2john.pl test.7z > test.hash

  1. I create a word list file containing only the password I gave to the archive:

echo easy > wordlist.txt

Then I try to decrypt the file:

sudo john test.hash --wordlist=wordlist.txt

I get the following output:

Using default input encoding: UTF-8 Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES]) Cost 1 (iteration count) is 524288 for all loaded hashes Cost 2 (padding size) is 3 for all loaded hashes Cost 3 (compression type) is 2 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Warning: Only 1 candidate left, minimum 32 needed for performance. 0g 0:00:00:00 DONE (2020-08-15 07:37) 0g/s 5.555p/s 5.555c/s 5.555C/s easy Session completed 
  1. I check if the password has been cracked: sudo john --show test.hash

I get the following output:

0 password hashes cracked, 1 left

So it seems that the decrypting did not succeed. However, I can extract the archive using command 7z e test.7z -peasy so the password should be correct. Also, if I create the archive without specifying the Delta filter using command 7z a test.7z *.wav -peasy. That way, by repeating the steps 1-4 I get the password cracked and am shown the result that the correct password has been found:

$   7z a test.7z *.wav -peasy  7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=fi_FI.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-4460  CPU @ 3.20GHz (306C3),ASM,AES-NI)  Scanning the drive: 1 file, 32080 bytes (32 KiB)  Creating archive: test.7z  Items to compress: 1       Files read from disk: 1 Archive size: 1058 bytes (2 KiB) Everything is Ok  $   /usr/share/john/7z2john.pl test.7z > test.hash $   echo easy >> wordlist.txt $   sudo john test.hash --wordlist=wordlist.txt Using default input encoding: UTF-8 Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES]) Cost 1 (iteration count) is 524288 for all loaded hashes Cost 2 (padding size) is 11 for all loaded hashes Cost 3 (compression type) is 2 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Warning: Only 1 candidate left, minimum 32 needed for performance. easy             (test.7z) 1g 0:00:00:00 DONE (2020-08-15 07:49) 5.263g/s 5.263p/s 5.263c/s 5.263C/s easy Use the "--show" option to display all of the cracked passwords reliably Session completed $   sudo john --show test.hash test.7z:easy  1 password hash cracked, 0 left  

Security of encrypted data and decrypting key

I am writing a python program in which I use encryption. The user can set the password and when it will be an input, the database will be decrypted. However, the function needs the decryption key to decrypt. So I thought about hiding that key somewhere(encryption and decryption key will be generated dynamically which means that the user on new device will have another decryption key.). I have no idea where I could hide it, so program could use it, but the user could not crack it.

What usually happens to the symmetric (session) key after decrypting an email? Can the key be recovered if changing private keys?

I’ve been preparing for a CISSP exam and was reading about applied cryptography in regard to email.

It’s my understanding that the popular schemes (PGP,S/Mime) use a combination of asymmetric and symmetric cryptography. If I’m reading things correctly, in S/MIME, the message is encrypted using a sender generated symmetric key. In turn, the symmetric key is encrypted using the receiver’s public key.

Encrypted Email

If the receiver changed their private key, they would no longer be able to decrypt the message. However, I was wondering if it was possible to recover the symmetric key from when the email was previously opened?

My guess would be that the email client does not intentionally store the key since that would present a security risk. Just wanted to see if that actually occurs or if there’s something I’m missing.

An intranet web app for decrypting values : a bad idea, and if so, why?

We have to protect a database connection string for a .NET desktop application that has an application-level database user. One option is to encrypt a section of the app.config using asp_regiis. But then every user of the application needs to have the key installed on their PC.

If an intranet IIS server has SSL and Microsoft Windows Authentication was in place, would an ASP.NET web-app that accepted an encrypted value and returned a plain text be a viable alternative to installing the keys on every user’s machine?

With the web app, no user would be able to export the key from their local container, and so the web app approach seems the more secure of the two.

Is decrypting secrets with ccrypt and piping the result via stdin to openvpn secure?

I’ve written the following alias to start an openvpn client more easily than before:

sudo bash -c 'cd OPVN_CONFIGS_DIR && ccrypt --cat _auth.conf.cpt | openvpn --config waw-001.ovpn --auth-user-pass /dev/stdin' 

NB: OPVN_CONFIGS_DIR is located in a synced folder (lets say Dropbox for simplicity)

NB: bash -c rather than a simple expansion because this is sometimes run in fish shell

The options I had before:

  • Use auth-user-pass to store my username + password in clear text. Looks to be the default option with openvpn but seems like a bad idea in general and even more so in my case since the secrets would be stored in a synced folder.
  • Enter my openvpn username and password every time which is a pain since the password is a very long random string. I cannot set a password myself, only reset it to another, just as long, random string. (and I’m not comfortable using a CLI password manager that stores passwords in the clipboard like passwordstore.org does)

My issue is that with the previous command openvpn complains about the following:

WARNING: file '/dev/stdin' is group or others accessible 

My questions:

  • What are the implications of this warning?
  • what is the ‘group’ mentioned in the warning? The sudo group?
  • Is there a better way to manage secrets on the client side with openvpn?

Thank you

Decrypting response, using fsockopen to talk to REST API on https

When using fsockopen to build my headers and send a request to a REST API, the response appears to be encrypted. Not sure how to best proceed

I started using curl to generate the request, but I just couldn’t get the headers right, and the API wasn’t responding. Eventually I used postman to build a query that returned a valid response.

It looked like: GET /my-path/somefunction?page=2& per_page=10 HTTP/1.1 Host: myhost.com Authorization: mykey User-Agent: PostmanRuntime/7.13.0 Accept: / Cache-Control: no-cache Postman-Token: fc66e2d0-0199-46ce-9866-88ff49d2d10d,9ccfacf6-ebf0-4f6b-a089-b9dd65587bb4 accept-encoding: gzip, deflate Connection: keep-alive cache-control: no-cache

I decided to use fsockopen to generate the headers exactly like the working headers in postman, as curl wouldn’t work, and I had no way to see the headers curl was sending. The problem is the data coming back is gobbledigook – I’m guessing I am seeing encrypted SSL data coming back?

$  fp = fsockopen('ssl://' . $  host, $  port, $  errno,$  errstr,10); fputs($  fp, "GET $  path HTTP/1.1\r\n"); fputs($  fp, "Host: $  host\r\n"); fputs($  fp, "Authorization: $  apiKey\r\n"); //fputs($  fp, "User-Agent: PostmanRuntime/7.13.0\r\n"); fputs($  fp, "Accept: */*\r\n"); fputs($  fp, "Cache-Control: no-cache\r\n"); //fputs($  fp, "Postman-Token: fc66e2d0-0199-46ce-9866-88ff49d2d10d,53b431ae-9046-4546-9bb4-0a0c6fdc54c7\r\n"); //fputs($  fp, "accept-encoding: gzip, deflate\r\n"); fputs($  fp, "Connection: keep-alive\r\n"); fputs($  fp, "cache-control: no-cache\r\n\r\n"); //fputs($  fp, $  data);  $  result = '';  while(!feof($  fp)) {     // receive the results of the request     $  result .= fgets($  fp, 128); } echo $  result; 

I’m wondering how I can decrypt the data I get back?